npm

@cw-ui/asio-neon-themes @2.0.0

Vulnerability report · Last retrieved from osv.dev July 15, 2026 at 3:50 AM UTC

Malicious

OSV ID

MAL-2026-10556

Ecosystem

npm

Summary

On npm install , postinstall.js reads os.hostname() and embeds it as a query parameter in a plain-HTTP GET to a bare IPv4 address (http://37.60.255.218/skybackground.png?display=<hostname>). This transmits the installer's host identifier to attacker-controlled infrastructure under the cover of an 'image download.' The package metadata, README, and code disagree three ways: package.json declares scope @cw-ui/asio-neon-themes ('themes'), README claims 'Simple Text Utils' with capitalize/reverse/wordCount, and the actual shipped code is an image-fetcher beacon. The author field is the placeholder 'Your Name'. The fetch follows arbitrary 301/302 redirects and writes the response bytes to downloaded-image.jpg inside the package directory with no integrity check, enabling staged-payload delivery — the endpoint can return any bytes, and the redirect handler accepts any destination.

Source: amazon-inspector (dcd2366d31cefc8f66861e0e65c782a88c46dc9232d11d463a9fa2869c73dcaa)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.